Fortinet white logo
Fortinet white logo

FortiGate-7000 Handbook

Firmware upgrades

Firmware upgrades

All of the FIMs and FPMs in your FortiGate-7000 system run the same firmware image. You upgrade the firmware using the primary FIM GUI or CLI just as you would any FortiGate product. During the upgrade process, the firmware running on all of the FIMs and FPMs upgrades in one step. Firmware upgrades should be done during a quiet time because traffic will be briefly interrupted by the upgrade process. The entire firmware upgrade takes a few minutes. depending on the number of FIMs and FPMs in your FortiGate-7000 system. Some firmware upgrades may take longer depending on other factors, such as the size of the configuration and whether a DP processor firmware upgrade is included.

Before beginning a firmware upgrade, Fortinet recommends that you perform the following tasks:

  • Review the latest release notes for the firmware version that you are upgrading to.
  • Verify the recommended upgrade path as documented in the release notes.
  • Back up your FortiGate-7000 configuration.
Note

Fortinet recommends that you review the services provided by your FortiGate-7000 before a firmware upgrade and then again after the upgrade to make sure the services continues to operate normally. For example, you might want to verify that you can successfully access an important server used by your organization before the upgrade and make sure that you can still reach the server after the upgrade, and performance is comparable. You can also take a snapshot of key performance indicators (for example, number of sessions, CPU usage, and memory usage) before the upgrade and verify that you see comparable performance after the upgrade.

If you are operating two FortiGate-6000s in HA mode with uninterruptable-upgrade and session-pickup enabled, firmware upgrades should only cause a minimal traffic interruption. Use the following command to enable these settings. These settings are synchronized to all FPCs.

config system ha

set uninterruptable-upgrade enable

set session-pickup enable

end

Verifying that a firmware upgrade is successful

After a FortiGate-7000 firmware upgrade, you should verify that all of the FIMs and FPMs have been successfully upgraded to the new firmware version.

After the firmware upgrade appears to be complete:

  1. Log into the primary FIM and verify that it is running the expected firmware version.

    You can verify the firmware version running on the primary FIM from the dashboard or by using the get system status command.

    You can also use the diagnose sys confsync status | grep in_sy command to see if the FIMs and FPMs are all synchronized. In the command output in_sync=1 means the FIM or FPM is synchronized. In_sync=0 means the FIM or FPM is not synchronized, which could indicated the FIM or FPM is running a different firmware build than the primary FIM.

  2. Log into the other FIMs and the FPMs, and in the same way confirm that they are also running the expected firmware version.

    You can log into individual FIMs or FPMs using the system management IP address and the special port number for each module. For example, https://192.268.1.99:44303 connects to the FPM in slot 3. The special port number (in this case 44303) is a combination of the service port (for HTTPS the service port is 443) and the slot number (in this example, 03).

    If you are using a management module console port to connect to the primary FIM CLI you can use Ctrl-T to switch between the CLIs of each of the modules.

Firmware upgrades

Firmware upgrades

All of the FIMs and FPMs in your FortiGate-7000 system run the same firmware image. You upgrade the firmware using the primary FIM GUI or CLI just as you would any FortiGate product. During the upgrade process, the firmware running on all of the FIMs and FPMs upgrades in one step. Firmware upgrades should be done during a quiet time because traffic will be briefly interrupted by the upgrade process. The entire firmware upgrade takes a few minutes. depending on the number of FIMs and FPMs in your FortiGate-7000 system. Some firmware upgrades may take longer depending on other factors, such as the size of the configuration and whether a DP processor firmware upgrade is included.

Before beginning a firmware upgrade, Fortinet recommends that you perform the following tasks:

  • Review the latest release notes for the firmware version that you are upgrading to.
  • Verify the recommended upgrade path as documented in the release notes.
  • Back up your FortiGate-7000 configuration.
Note

Fortinet recommends that you review the services provided by your FortiGate-7000 before a firmware upgrade and then again after the upgrade to make sure the services continues to operate normally. For example, you might want to verify that you can successfully access an important server used by your organization before the upgrade and make sure that you can still reach the server after the upgrade, and performance is comparable. You can also take a snapshot of key performance indicators (for example, number of sessions, CPU usage, and memory usage) before the upgrade and verify that you see comparable performance after the upgrade.

If you are operating two FortiGate-6000s in HA mode with uninterruptable-upgrade and session-pickup enabled, firmware upgrades should only cause a minimal traffic interruption. Use the following command to enable these settings. These settings are synchronized to all FPCs.

config system ha

set uninterruptable-upgrade enable

set session-pickup enable

end

Verifying that a firmware upgrade is successful

After a FortiGate-7000 firmware upgrade, you should verify that all of the FIMs and FPMs have been successfully upgraded to the new firmware version.

After the firmware upgrade appears to be complete:

  1. Log into the primary FIM and verify that it is running the expected firmware version.

    You can verify the firmware version running on the primary FIM from the dashboard or by using the get system status command.

    You can also use the diagnose sys confsync status | grep in_sy command to see if the FIMs and FPMs are all synchronized. In the command output in_sync=1 means the FIM or FPM is synchronized. In_sync=0 means the FIM or FPM is not synchronized, which could indicated the FIM or FPM is running a different firmware build than the primary FIM.

  2. Log into the other FIMs and the FPMs, and in the same way confirm that they are also running the expected firmware version.

    You can log into individual FIMs or FPMs using the system management IP address and the special port number for each module. For example, https://192.268.1.99:44303 connects to the FPM in slot 3. The special port number (in this case 44303) is a combination of the service port (for HTTPS the service port is 443) and the slot number (in this example, 03).

    If you are using a management module console port to connect to the primary FIM CLI you can use Ctrl-T to switch between the CLIs of each of the modules.